has any decent research been done with CPS3 carts?

smkdan · Jul 9, 2010

I kind of forgot about all this until I played a 2nd impact machine a few times week. It's been cracked and emulated for years but that doesn't really reveal any in depth info on how the cart functions. MAME doesn't emulate the cart SH2 / has no need to. It just decrypts the BIOS at driver init and that's enough to get the mainboard SH2 up and running it seems. The cart SH2 supposedly has some role in this but the decryption info in MAME driver along with what I see in google is very vague. Can't seem to find any info on the exact dependencies the mainboard has on the cart SH2.

I know that Guru already tried using regular SH2 with decrypted BIOS code with no success. One of the first things I saw Warzard do is test that decryption is actually active. It would crash on a regular SH2 running a pre-decrypted BIOS since it's written in a way that relies on decryption happening at runtime. A regular SH2 won't work, although removing this check is trivial along with others like it. I'm sure there's alot more to it than that though.

so has anyone actually taken any notes on the cart / slot that aren't published anywhere? I wouldn't mind owning one of these when all this suicide stuff is dealt with, but it looks like there's no progress on this at all from what I see in Google.

kernow · Jul 9, 2010

Theres a thread over at AO with artemio (on here too) discussing it.

http://forum.arcadeotaku.com/viewtopic.php?f=26&t=8576&hilit=cps3+decrypt

Thats all I've seen really.

Someone really needs to tackle it though.

smkdan · Jul 9, 2010

When I read through that thread I wondered what the fuss about that menu was. There doesn't seem to be anything about reprogramming the security cart anywhere. I could dig up the key combo or hack the BIOS to access it but it looks more like a diagnostic thing for Capcom techs. The MAME driver mentions a hidden menu to reprogram the security cart which might be the same one there, don't know. Can't find any strings about loading the security cart with anything though. Or even if the system itself is capable of it on its own. The macro processor looks interesting though.

Lack of info on the hardware sucks, especially since the encryption is surprisingly crude for something that succeeded the CPS2.

kernow · Jul 9, 2010

Please sort it out, I've wanted a cps3 setup for years. I imagine the price will rise once it is actually fixed though.

smkdan · Jul 9, 2010

Honestly I'm not suited for the job. I'm mediocre with hardware and I don't own the working CPS3 setups + logic analyzers to really figure out what's going on with the two CPUs. Not even a dead cart to make a pinout from, which would atleast drop a few hints. Too many unanswered questions about the whole setup.

I can modify the BIOS and program the CPS3 but it's not as helpful for RE'ing the security cart.

kernow · Jul 9, 2010

video_disease · Jul 9, 2010

I would love to have a CPS3 setup as well, but I don't want to piss away $$$ on something that might eventually crap out no matter what I do.

Razoola · Jul 9, 2010

If I ever stop work and have the time I will look at CPS3 one day. With these things however you can't really go off what other people have tried and take it as read it will not work. You have to go from scratch in case they made errors.

From my understanding the code is in the one of the bios's to reprogram the keys, DEVs know how to reprogram the key as the SH2 has direct access to the memory range used. The only issue is getting the SH2 to run to reprogram the key. I believe this is what guru was trying to do when he replaced the SH2 with a standard one.

I myself am of the impression that it would be possible to get games running from a dead cart using a bios in a format the SH2 will understand without keys.

mainman · Jul 9, 2010

smkdan said:
Honestly I'm not suited for the job. I'm mediocre with hardware and I don't own the working CPS3 setups + logic analyzers to really figure out what's going on with the two CPUs. Not even a dead cart to make a pinout from, which would atleast drop a few hints. Too many unanswered questions about the whole setup.

I can modify the BIOS and program the CPS3 but it's not as helpful for RE'ing the security cart.

If you can do the software end and modify the bios and cd rom software, I can do the hardware and probe/modify the cart.

sammybean · Jul 9, 2010

smkdan said:
Honestly I'm not suited for the job. I'm mediocre with hardware and I don't own the working CPS3 setups + logic analyzers to really figure out what's going on with the two CPUs. Not even a dead cart to make a pinout from, which would atleast drop a few hints. Too many unanswered questions about the whole setup.

I can modify the BIOS and program the CPS3 but it's not as helpful for RE'ing the security cart.

mainman said:
If you can do the software end and modify the bios and cd rom software, I can do the hardware and probe/modify the cart.

Neo teamwork ftw! :mr_t:

video_disease · Jul 10, 2010

How long does a battery last in a CPS3 cart anyway? Will it die out even with constant play?

Supasaru · Jul 10, 2010

Wow, sounds great. I've always held off on buying CPS3 stuff for the same reason.

There's a few shops out there that I've seen that offer to refresh EEPROMs on the CPS3. I'm still avoiding CPS3....

Razoola said:
You have to go from scratch in case they made errors.

You should see all the garbage about the System 246. 60% of it is completely wrong (DVD-drive magic firmware? Nonsense) and the other 40% is only half information.

I have yet to get a single legitimate answer from "experts at System 246 dongle repair" on whether or not this stupid dongle is just an 8M PS2 memory card or if it has a different ASIC or what.....

smkdan · Jul 10, 2010

@Razoola: If the keys in the cart SH2 are wiped, and the keys change to some determinate value (all FF?), a BIOS could be encrypted as such that it would correctly decrypt given these keys. Is that what you are suggesting? I wonder if someone has tried that. If the cart SH2 has direct access to the key SRAM maybe it will panic if detects the keys are wiped. Do you know if it its code is stored internally or if it shares code space with the BIOS? I have no idea how control is passed between the two SH2s. At some point, assuming the two keys are stored in the cart SH2, it will have to send the keys to the mainboard SH2 since it's used for the main program SIMMs + RAM. Not sure how/when but it must happen at some point.

Have you considered disassembling a late game BIOS? I only have bits and pieces from 3S and Warzard. Already I see alot of writes to unemulated regions which may be security related. They obviously aren't required for the gameplay portions to function since MAME does fine without emulating these. Maybe the secret SRAM rewriting code will pop up somewhere, but it's alot of work for something with no 100% confirmation that it actually exists.

@mainman: have you ever done a pinout on the security cart / BIOS / cart SH2? As far as trying software stuff, I wonder what would happen if the simplest code to get something on screen was used in unencrypted BIOS with stock SH2. Capcom BIOS is written to crash quickly if this happened but if I homebrewed a simple CPS3 program without any of that I wonder how far it would get.

Razoola · Jul 10, 2010

smkdan said:
@Razoola: If the keys in the cart SH2 are wiped, and the keys change to some determinate value (all FF?), a BIOS could be encrypted as such that it would correctly decrypt given these keys. Is that what you are suggesting?

Yes. It could be more than just keys that are wiped though like with CPS2.

smkdan said:
I wonder if someone has tried that.

I have no idea.

To be honest reprogramming the keys is not the way I would go about it myslef. I would rather a fix that made the game suicide free. In fact if I did manage it at some point in the future I would create a cart bios that could load any of the six games of choice.

smkdan · Jul 11, 2010

Razoola said:
Yes. It could be more than just keys that are wiped though like with CPS2.

It probably is more complicated but if it hasn't been ruled out yet and someone has a dead cart they can flash, it would be worth a shot. If someone is willing to try then a special BIOS can be prepared.

A universal BIOS for all games would be ideal for sure. Being able to take any dead cart and running all 6 with it would be great.

I'll disassemble the 3S BIOS bit by bit in the mean time. It'll be good to know exactly how a real cart gets up and running.

mainman · Jul 11, 2010

smkdan said:
It probably is more complicated but if it hasn't been ruled out yet and someone has a dead cart they can flash, it would be worth a shot. If someone is willing to try then a special BIOS can be prepared.

A universal BIOS for all games would be ideal for sure. Being able to take any dead cart and running all 6 with it would be great.

I'll disassemble the 3S BIOS bit by bit in the mean time. It'll be good to know exactly how a real cart gets up and running.

I've done a partial pin out of the SH2 before giving up due to not being able to find a partner for the software end of the project.

I have been able to to only guess the SH2 from a STV/Saturn board would make a good substitute as far as pinout/frequency.

I have the gear to easily reflash the bios and although not a easy task I can also replace the SH2 if need be

Orochi P-E · Jul 11, 2010

hehe sounds really interesting soon we'll have phoenix cps3 ^^
go on men !! if spare dead carts or mobo are needed shoot me a pm

smkdan · Jul 11, 2010

well here's the first attempt:
http://smkdan.eludevisibility.org/cps3/deadbios.zip
Encrypted third strike BIOS with a bit of protection code patched out. Both keys all FF byte so if a dead cart happens to use those, it might work. Doubting it is that simple but it really should be ruled out. Any suggestions welcome obviously.

mainman: can you try flashing any dead cart with this and see what happens? Doesn't have to be a 3S just any dead cart with the original Capcom SH2.

Trying decrypted + patched BIOS with regular SH2 is another idea but it's alot of hassle on your end for something that probably won't work.

mainman · Jul 12, 2010

smkdan said:
well here's the first attempt:
http://smkdan.eludevisibility.org/cps3/deadbios.zip
Encrypted third strike BIOS with a bit of protection code patched out. Both keys all FF byte so if a dead cart happens to use those, it might work. Doubting it is that simple but it really should be ruled out. Any suggestions welcome obviously.

mainman: can you try flashing any dead cart with this and see what happens? Doesn't have to be a 3S just any dead cart with the original Capcom SH2.

Trying decrypted + patched BIOS with regular SH2 is another idea but it's alot of hassle on your end for something that probably won't work.

Tried it with the stock SH2 and no go, still a dead stick

smkdan · Jul 12, 2010

mainman said:
Tried it with the stock SH2 and no go, still a dead stick

Just realized that one is completely broken. I made some major errors since I didn't have the proper hardware manual and I never touched SH2 until now. There's no 'decryption check', it is standard for SH2 startup but it still stops plain SH2 swaps from working without custom BIOS. Sometime tomorrow I might have a fixed one to try.

WupWuh · Jul 12, 2010

A bit of a n00b question here, but could someone link me to a screw driver that will take off the screws on a CPS3 security cart? I got a dead one that I had intended just to mess around with and wasn't entirely sure the bit I need to unscrew those things with. I read that they were referred to 'system zero' screws. Sorry for the derail and thanks for any responses.

mainman · Jul 12, 2010

WupWuh said:
A bit of a n00b question here, but could someone link me to a screw driver that will take off the screws on a CPS3 security cart? I got a dead one that I had intended just to mess around with and wasn't entirely sure the bit I need to unscrew those things with. I read that they were referred to 'system zero' screws. Sorry for the derail and thanks for any responses.

Dude small needle nose pliers .

WupWuh · Jul 12, 2010

mainman said:
Dude small needle nose pliers .

Oof, did not even think about that. Thanks!

smkdan · Jul 13, 2010

Another BIOS to try. Encrypted with same keys and triple checked for silly mistakes. I can't really test it from my end though. If it doesn't work, it definitely doesn't use these keys.

mainman · Jul 13, 2010

smkdan said:
Another BIOS to try. Encrypted with same keys and triple checked for silly mistakes. I can't really test it from my end though. If it doesn't work, it definitely doesn't use these keys.

Will try it this friday

has any decent research been done with CPS3 carts?

Galford's Armourer

The Goob Hunter

Galford's Armourer

The Goob Hunter

Galford's Armourer

The Goob Hunter

Kuroko's Training Dummy

Divine Hand of the UniBIOS,

CPS2 Person.,

Shigen's Fitness Trainer

Kuroko's Training Dummy

Windjammers Wonder

Galford's Armourer

Divine Hand of the UniBIOS,

Galford's Armourer

CPS2 Person.,

n00b

Galford's Armourer

CPS2 Person.,

Galford's Armourer

Krauser's Shoe Shiner

CPS2 Person.,

Krauser's Shoe Shiner

Galford's Armourer

CPS2 Person.,